[Swan] XFRMi Interface route based IPSec with right=%any

Rav Ya ravin.ya90 at gmail.com
Tue Apr 28 23:32:00 UTC 2020

Hi Paul,

Thank you for your time.

Setting all the connections to "overlapip=yes" did not help. I am still
seeing the same “route already in use” error.
Any other suggestions, or a workaround that might work?

Apr 28 19:13:40.288938: | route owner of "gateway02"[1] unrouted: "gateway01"[1] erouted; eroute owner: "gateway01"[1]
Apr 28 19:13:40.288946: "gateway02"[1] #7: cannot route -- route already in use for "gateway01"[1]

If I understand correctly the next release (v3.32) will not have the legacy
KLIPS and shall support overlapping IPs. Is there a rollout date for the
next release?
Also, if I build the master branch I should not see this issue. Right?

-Rav Ya

On Tue, Apr 28, 2020 at 6:34 PM Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 28 Apr 2020, Rav Ya wrote:
> > Question: With this configuration, my first tunnel comes up
> > successfully but my second tunnel
> > fails with “route already in use” error?
>
> That is a bug. Can you try adding overlapip=yes to all connections?
>
> > Given that I have two different XFRMi interfaces shouldn’t we allow
> > route ( ->
> > subnets) for individual XFRMi to run iBGP? What am I missing? Any
> > recommendations please?
>
> It is because the legacy KLIPS stack did not support overlapping IPsec
> connections. We are about to rip out KLIPS, but got delayed by a few
> releases, so it is still in the last release (although it has been
> ripped out in git master).
>
> Paul